The OAuth authorisation module allows different client applications to be registered, so that each client can be given its own authorisation policy.

See the page OAuth authorisation and authentication for details on how to implement authorisation and authentication in your client application.

Every client has a clientId, a clientSecret, one or more grant types (the ways in which that client can obtain an access token), and one or more allowed redirect URIs.
These are configured in the Grails configuration file .grails/transmartConfig/Config.groovy, in the grails.plugin.springsecurity.oauthProvider.clients property.

In recent versions of transmart, including the just_rest branch, which use a newer version of the OAuth plugin, the clients are registered in a separate database rather than read directly from the configuration. The application nevertheless syncs the contents of that configuration key into it on startup, so the configuration below remains the place to define clients.

The default configuration, as generated from Config-template.groovy by transmart-data, contains the following client registrations:

def glowingBearRedirectUris = [
        transmartURL - ~/transmart\/$/ + '#/login',
]
if (transmartURL.startsWith('http://localhost:')) {
    // for dev, node reverse proxy runs on 8001
    glowingBearRedirectUris << 'http://localhost:8001/#/login'
}
clients = [
    [
        clientId: 'api-client',
        clientSecret: 'api-client',
        authorities: ['ROLE_CLIENT'],
        scopes: ['read', 'write'],
        authorizedGrantTypes: ['authorization_code', 'refresh_token'],
        redirectUris: [transmartURL + 'oauth/verify']
    ],
    [
        clientId: 'glowingbear-js',
        clientSecret: '',
        authorities: ['ROLE_CLIENT'],
        scopes: ['read', 'write'],
        authorizedGrantTypes: ['implicit', 'password'],
        redirectUris: glowingBearRedirectUris,
    ],
]

The scopes property is currently not used. Note that in this default configuration the api-client secret is identical to its clientId; set a real secret for any deployment that is reachable by anyone other than the developer.

The authorizedGrantTypes property can contain the following values:

Value               Description
authorization_code  The authorization server returns an authorization code, which the client exchanges for an access token with POST /oauth/token, passing grant_type=authorization_code and the returned code in the code parameter.
implicit            Allows response_type=token on /oauth/authorize; the access token is returned directly in the redirect URI (in its fragment), so it is exposed to the browser and anything that can read the URL.
refresh_token       Allows the access token to be renewed with grant_type=refresh_token. The refresh token is issued together with the access token.
password            Allows grant_type=password on /oauth/token, with the user's username and password sent by the client; the authorisation step with /oauth/authorize is not needed. The client sees the user's password, so this is only appropriate for trusted first-party clients.
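The exchange described in the table above, as an added example that is not transmart's own code: a minimal Python client for the authorization_code, refresh_token and password grants of an api-client style registration. It builds the /oauth/authorize URL, checks the callback (registered redirect URI and a state value, the CSRF check a client must not skip), and builds the /oauth/token requests. The base URL, the use of HTTP Basic authentication for the client credentials, the state parameter and the token response JSON are assumptions constructed for this example, not taken from the page or from transmart.

```python
"""Client side of the authorization_code / refresh_token / password grants
against a transmart OAuth provider. Added example, not transmart code.

Assumptions (not from the page): the provider exposes /oauth/authorize and
/oauth/token under TRANSMART_URL and accepts the client credentials as HTTP
Basic auth on /oauth/token. The sample callback URL and token JSON used in
the test are constructed data.
"""
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs

TRANSMART_URL = "https://transmart.example.org/transmart/"  # assumed base URL
CLIENT_ID = "api-client"
CLIENT_SECRET = "api-client"  # default from Config.groovy; change in production
REDIRECT_URI = TRANSMART_URL + "oauth/verify"  # as registered for api-client
TOKEN_URL = TRANSMART_URL + "oauth/token"


def authorize_url(state):
    """Step 1: URL the user's browser is sent to (GET /oauth/authorize).

    `state` is an unguessable per-session value; it is echoed back in the
    callback and checked there so an attacker cannot complete the flow with
    a code of their own.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "read",
        "state": state,
    }
    return TRANSMART_URL + "oauth/authorize?" + urlencode(params)


def code_from_callback(callback_url, expected_state):
    """Step 2: extract the authorization code from the redirect back to us.

    Rejects callbacks that did not arrive at the registered redirect URI,
    carry an error, or whose state does not match the one we generated.
    """
    parsed = urlparse(callback_url)
    arrived_at = parsed.scheme + "://" + parsed.netloc + parsed.path
    if arrived_at != REDIRECT_URI:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    qs = parse_qs(parsed.query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch (possible CSRF)")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]


def _client_headers():
    """Client credentials as HTTP Basic auth (assumed provider setting)."""
    raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    return {
        "Authorization": "Basic " + base64.b64encode(raw).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }


def token_request(code):
    """Step 3: POST /oauth/token with grant_type=authorization_code.

    Returns (url, headers, body) for any HTTP client to send. redirect_uri
    must repeat the exact value used in step 1.
    """
    body = urlencode({"grant_type": "authorization_code",
                      "code": code,
                      "redirect_uri": REDIRECT_URI})
    return TOKEN_URL, _client_headers(), body


def refresh_request(refresh_token):
    """Later: renew the access token with grant_type=refresh_token."""
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token})
    return TOKEN_URL, _client_headers(), body


def password_request(username, password):
    """grant_type=password: no /oauth/authorize step; the client handles the
    user's password itself, so only a trusted first-party client should do this."""
    body = urlencode({"grant_type": "password",
                      "username": username,
                      "password": password})
    return TOKEN_URL, _client_headers(), body


def parse_token_response(body):
    """Keep the fields a client needs from the JSON token response;
    raise on an error response instead of silently storing nothing."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(data.get("error", "no access_token in response"))
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_in": data.get("expires_in"),
    }
```

The functions return the request pieces rather than sending them, so the same code serves any HTTP library; a real client would store the refresh token as carefully as a password, since with the default tokenServices settings it stays valid for a long time.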


The following optional settings control whether the refresh token is reused after use and how long access and refresh tokens stay valid. They can be placed near the end of the generated out-of-tree Config.groovy (~<tomcat user>/.grails/transmartConfig/Config.groovy). Setting either validity to null produces tokens that never expire, and reuseRefreshToken = true means a leaked refresh token keeps working until it is revoked; outside development, prefer finite lifetimes.

grails { plugin { springsecurity { oauthProvider {
    tokenServices {
        reuseRefreshToken = true // let the refresh token stay the same after using it
        accessTokenValiditySeconds = 60 * 60 * 12 // 12 hours access token validity. Set to null for indefinite validity. 
        refreshTokenValiditySeconds = 60 * 60 * 24 * 365 // year long refresh token validity. Set to null for indefinite validity.
    }
} } } }